On April 8, 2025, the EDPB adopted Guidelines 02/2025 on the Processing of Personal Data via Blockchain Technologies, which are open for public consultation until June 9. The document is a key reference for clarifying the main friction points between the immutable, decentralised architecture of blockchain and GDPR principles.
Key Insights
- Addresses data subjects’ rights in light of immutability, offering alternative techniques such as off-chain data segregation.
- Highlights the need for human intervention and the right to contest in automated decisions via smart contracts.
- Encourages careful selection of blockchain technology architecture based on risks to data subjects’ rights.
- Recommends updating privacy documentation to reflect measures taken and governance structures.
- Calls for clarity on ownership and co-ownership of data processing in decentralised contexts.
Why should I read this?
If you’re dealing with data privacy in relation to blockchain, this piece is essential reading. It breaks down new guidelines that may just shape how you handle data rights and responsibilities in your organisation, ultimately saving you potential headaches later on.
The EDPB also published insights into AI and privacy risks associated with large language models.
NIS 2: Second Phase of Adjustment for Essential and Important Subjects
The National Cybersecurity Agency (ACN) has officially launched the second phase of the implementation of the NIS 2 Directive by outlining minimum cybersecurity measures and incident notification requirements for service providers.
Key Insights
- Defines obligations for essential and important entities under the NIS 2 Directive.
- Sets a timeline for the adoption of minimum security measures, with a deadline of 18 months from notification.
- Sets out obligations for basic incident notification within 9 months of receiving the NIS national listing communication.
Why should I read this?
This is a timely wake-up call for all entities subject to the NIS Directive. Staying ahead of the upcoming deadlines and implementing these measures will ensure compliance and protect against significant cybersecurity risks.
Ubisoft Under Investigation: Offline Mode Violating GDPR
NOYB has filed a complaint against Ubisoft for alleged GDPR violations regarding the requirement of an internet connection during single-player gaming sessions, raising questions about data collection practices.
Key Insights
- Ubisoft’s “Far Cry Primal” generates numerous DNS requests without user consent during offline play.
- The complaint cites GDPR Article 6(1), asserting that online connectivity is unnecessary for game ownership verification.
Why should I read this?
This case has the potential to set a precedent in the tech and gaming industry regarding data transparency and consent. It’s a crucial reminder for all businesses to ensure their data practices are not only lawful but clearly communicated to users.